Problem with start of auditd on 2.6.13-2smp machine

Lisa Giacchetti lisa at fnal.gov
Tue Jan 10 20:17:58 UTC 2006



Steve Grubb wrote:
> On Tuesday 10 January 2006 14:31, Lisa Giacchetti wrote:
> 
>>So I installed 1.0.3-6 which did have auditd chkconfig'd off by default.
>>And I rebooted. It did not work. Well I should say that auditd is not
>>running but the messages are still there.
> 
> 
> OK, your kernel does not have the patch, then. There's 3 options. You can try 
> for a newer kernel, or patch the one you are using, or use auditd to eat up 
> the messages but live with the error on boot. You will pay a performance 
> penalty for enabling the audit system. I can dig up the kernel patch if you 
> want to patch your kernel.
> 

Yes I think this would be good. At some point we may want/need to have
auditing on so having it installed correctly is a good path to follow.

> 
>>>Using 1.0.3 might be the best solution if you have a kernel without the
>>>patch to stop user space originating messages. Just set the log size low
>>>and tell it to suspend logging when the file gets too big.
>>>
>>>flush = INCREMENTAL
>>>freq = 50
>>>num_logs = 2
>>>max_log_file = 1
>>>max_log_file_action = SUSPEND
>>
>>Won't I still have the problem of the error on start up?
> 
> 
> Yes, but it's harmless - your kernel doesn't support file system auditing.
> 
> 
>>It's like the -D option on line 5 is not a recognized option.
> 
> 
> It is recognized, the error message is somewhat misleading (I think it was 
> updated in later versions). It is saying that it tried to get the list of 
> files being watched and the kernel didn't understand.
> 
Good. I am comfortable with this.
> 
>>I really don't care about the error as long as I know that
>>things are configured to not really start auditing.
> 
> 
> Well, auditing comes in 2 layers. If auditing is enabled, all the syscalls 
> will pass through the audit system for inspection. There is a 
> performance penalty for this. The other layer is when you have rules loaded 
> that may trigger events. This will result in kernel audit messages.
> 

Ok. I will keep this in mind if we decide to turn auditd on before we
have the kernel patch. Some of these systems are already heavily
loaded and it might not be a good idea to do.

Thanks again for all your help!!

Lisa

> -Steve


-- 

Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
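As an added example (not code from the thread or from the audit package), a small Python checker for the auditd.conf settings Steve quoted: it parses the file, works out the worst-case disk footprint those settings allow, and flags the trade-off that SUSPEND stops logging silently once the file is full. The sample config is constructed from the values in the thread; the meaning of each max_log_file_action value follows the auditd.conf man page.

```python
# Constructed sample in auditd.conf syntax, using the values quoted in the thread.
SAMPLE_CONF = """
# auditd.conf excerpt (constructed)
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
"""


def parse_auditd_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped.
    Keys are lower-cased so lookups do not depend on the file's casing."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key.lower()] = value
    return cfg


def worst_case_disk_mb(cfg):
    """Upper bound on audit log disk use in MB, or None if unbounded.

    max_log_file is in megabytes. SUSPEND stops writing at that size and
    ROTATE keeps at most num_logs files. IGNORE and SYSLOG let the file keep
    growing and KEEP_LOGS never deletes old logs, so those give no bound."""
    size = int(cfg.get("max_log_file", 0))
    action = cfg.get("max_log_file_action", "ignore").upper()
    if size <= 0:
        return None
    if action == "SUSPEND":
        return size
    if action == "ROTATE":
        return size * max(int(cfg.get("num_logs", 0)), 1)
    return None


def check(cfg):
    """Return a list of findings; an empty list means the config looks sane."""
    findings = []
    if worst_case_disk_mb(cfg) is None:
        findings.append("audit log growth is not bounded")
    if cfg.get("max_log_file_action", "").upper() == "SUSPEND":
        findings.append("SUSPEND silently stops logging once the file is full")
    if "freq" in cfg and cfg.get("flush", "").upper() != "INCREMENTAL":
        findings.append("freq only applies when flush = INCREMENTAL")
    return findings
```

With the thread's settings the footprint is capped at 1 MB, but the checker also reports that once that cap is hit no further events are recorded, which is the trade-off Steve describes.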